[USG Flex 100] No NetBIOS over SSL VPN

Sébastien · September 2020

Hi everyone,

I just set up an SSL VPN on a USG Flex 100 requesting NetBIOS broadcast over this connection but it doesn't work. I would like to access an SMB share on the network, it works on the local network using the computer name but not over the SSL VPN remote connection. Using the IP address in the UNC works correctly on the SSL VPN connection by the way.

Image: https://us.v-cdn.net/6029482/uploads/editor/nr/x19e4nclpcwh.jpg

Any idea of what could be wrong ?

Regards,

Sébastien

Zyxel_Emily · September 2020

Hi @ Sébastien,

Firmware: 4.55(ABUH.0)

Topology:

PC1(192.168.1.33)----(LAN1)USG FLEX 100 (WAN) ----Internet-----PC2 (SSL VPN client: 192.168.70.1)

Note: The SSL VPN pool cannot conflict with any WAN/LAN1/LAN2/DMZ subnet even if they are not in use.

Capture packets on interface lan1.

On PC2, enter \\PC1_hostname

Stop packet capture, download the file and open both captured files.

Check if USG FLEX 100 receives the name query packet from PC2.

If it does receive the name query packet, it means there is no problem with the function “NetBIOS broadcast over SSL VPN”.

Image: https://us.v-cdn.net/6029482/uploads/editor/ic/x2r12vkuqhj9.jpg

Image: https://us.v-cdn.net/6029482/uploads/editor/ed/z5r6sf16fe51.jpg

Sébastien · September 2020

When trying to troubleshoot this issue I found something interesting related to the configuration I made on this USG Flex 100.

Wan IP address is part of the 192.168.1.0/24 subnet, fixed IP 192.168.1.200 (provider box).

As Wan IP address is part of the same subnet as lan1 predefined in the router, I switched all the ports to lan2 (P3 to P6). These ports are now part of the lan2 subnet 192.168.2.0/24. I also disabled lan1 in Interface > Ethernet > Configuration

VPN IP pool is 192.168.2.250 - 254 so in the correct subnet.

What I noticed in the logs is that, when I try to access the share using NetBIOS over VPN, the broadcast is made on the 1.0/24 subnet (port 138) which is not the right one !

Here is the log line :

9

2020-09-21 10:49:30

notice

Security Policy Control

Match default rule, DROP [count=2]

192.168.1.1:138

192.168.1.255:138

ACCESS BLOCK

I just wonder why it "searches" for the NetBIOS name on lan1 despite it knows it is on lan2.

What do you think of that ?

Thanks,

Sébastien

Zyxel_Emily · September 2020

Hi @ Sébastien,

Firmware: 4.55(ABUH.0)

Topology:

PC1(192.168.1.33)----(LAN1)USG FLEX 100 (WAN) ----Internet-----PC2 (SSL VPN client: 192.168.70.1)

Note: The SSL VPN pool cannot conflict with any WAN/LAN1/LAN2/DMZ subnet even if they are not in use.

Capture packets on interface lan1.

On PC2, enter \\PC1_hostname

Stop packet capture, download the file and open both captured files.

Check if USG FLEX 100 receives the name query packet from PC2.

If it does receive the name query packet, it means there is no problem with the function “NetBIOS broadcast over SSL VPN”.

Sébastien · September 2020

Hi Emily,

Thanks a lot for your answer.

You're right, I get an answer when trying to reach the share :

Image: https://us.v-cdn.net/6029482/uploads/editor/34/kkxxquyua91s.jpg

The big question now is why it works with the IP address and not with the computer name as it is resolved correctly. Maybe a Windows issue.

Thanks again,

Sébastien

PS. : I configured this USG to have a similar topology to yours, but I had to add a routing policy to be able to ping the host inside the LAN2.

[USG Flex 100] No NetBIOS over SSL VPN

Accepted Solution

All Replies

Categories

Security Highlight

Security Help Center